Have you heard about Purple Teaming, but were unsure of exactly what it is? Maybe you've heard it explained as "the red and blue teams working together to improve the organization's security posture." While that may be a good high-level description of Purple Teaming as a concept, it lacks a clear direction of how this outcome is achieved. As they say, "The Devil is in the details." At SpecterOps, we believe that a Purple Team exercise is one that leverages an adversarial mindset to evaluate the overall efficacy of security controls, whether they are detective or preventative.
Join us for an hour-long webinar where we will dive into the major questions regarding Purple Team including:
- Why small changes in adversary tradecraft have a profound effect on detectability.
- How to map variations between tools that implement the same technique.
- How to construct a representative sample set of test cases.
3. What is Purple Teaming?
• A function designed to enhance the information sharing between – and the ultimate effectiveness of – an organization's Red and Blue Teams, with the ultimate purpose of improving the organization's defenses.
  • Daniel Miessler
• A blue team becomes "purple" when it emulates the adversary as a means of self-evaluation.
  • Jonathan Reiber
• [Purple Teaming] refers to multiple cybersecurity teams working together to improve an organization's security posture…
  • Xena Olsen
• Actively pinpoint weaknesses in protection and detection capabilities.
  • TIBER-EU
• Enables defenders to gain a better understanding of adversary TTPs.
  • Cristian Pescariu (Pluralsight)
https://github.com/ch33r10/EnterprisePurpleTeaming
12. Similarity
• What does it mean for two malware samples to be the SAME?
• How can we measure similarity?
  • Cryptographic Hashes (MD5, SHA1, SHA256)
    • Only measure ABSOLUTE similarity.
    • There's no way to determine if one bit changed or if the entire sample is different.
  • Piecewise and Fuzzy Hashing [1]
    • Generate a traditional hash, but also generate hash values for segments of the file.
    • This assumes that changes will be localized to certain locations (e.g. changing mimikatz to mimidogz).
  • Imphash [2]
    • Idea that Portable Executables that import the same API functions are probably similar in function despite changes to less significant bits.
    • Still lacks the ability to distinguish between small and large changes.

1. https://www.sciencedirect.com/science/article/pii/S1742287606000764?via%3Dihub
2. https://www.mandiant.com/resources/blog/tracking-malware-import-hashing
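The three similarity measures on the slide, worked through in code. This is an added example, not code from the webinar or from SpecterOps: the two "samples" are constructed byte strings that differ only in a renamed embedded string (the mimikatz/mimidogz case), the piecewise hash is a simplified fixed-size-segment version of the idea rather than ssdeep/CTPH, and the import lists are constructed stand-ins for what a PE parser would extract. The imphash routine follows the published algorithm (lowercased `dll.function` pairs, DLL extension stripped, comma-joined, MD5) but omits ordinal handling.

```python
import hashlib
from typing import Dict, List, Tuple

SEGMENT_SIZE = 16  # bytes per segment; a constructed choice for the demo


def sha256_hex(data: bytes) -> str:
    """Whole-file cryptographic hash: any changed bit yields an unrelated digest."""
    return hashlib.sha256(data).hexdigest()


def piecewise_hashes(data: bytes, segment_size: int = SEGMENT_SIZE) -> List[str]:
    """Simplified piecewise hashing: hash each fixed-size segment separately."""
    return [hashlib.sha256(data[i:i + segment_size]).hexdigest()
            for i in range(0, len(data), segment_size)]


def piecewise_similarity(a: bytes, b: bytes, segment_size: int = SEGMENT_SIZE) -> float:
    """Fraction of segment positions whose hashes agree (1.0 == identical)."""
    ha = piecewise_hashes(a, segment_size)
    hb = piecewise_hashes(b, segment_size)
    total = max(len(ha), len(hb))
    if total == 0:
        return 1.0
    matches = sum(1 for x, y in zip(ha, hb) if x == y)
    return matches / total


def imphash(imports: List[Tuple[str, str]]) -> str:
    """Import hash over (dll, function) pairs; order of imports is significant."""
    parts = []
    for dll, func in imports:
        name = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if name.endswith(ext):
                name = name[:-len(ext)]
                break
        parts.append(f"{name}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def compare(a: bytes, b: bytes) -> Dict[str, object]:
    """Side-by-side view: absolute (SHA256) versus localized (piecewise) similarity."""
    return {
        "sha256_equal": sha256_hex(a) == sha256_hex(b),
        "piecewise_similarity": piecewise_similarity(a, b),
    }


# Constructed stand-ins for two builds of the same tool. SAMPLE_B only renames the
# embedded string, so exactly one 16-byte segment (offset 16..31) differs.
SAMPLE_A = b"HEADER" + b"\x00" * 10 + b"mimikatz.exe payload" + b"\x90" * 32 + b"TRAILER"
SAMPLE_B = SAMPLE_A.replace(b"mimikatz", b"mimidogz")
SAMPLE_C = bytes(range(len(SAMPLE_A)))  # unrelated content of the same length

# Constructed import tables. A and B differ only in casing; C reorders the same APIs.
IMPORTS_A = [("KERNEL32.dll", "OpenProcess"), ("KERNEL32.dll", "VirtualAllocEx"),
             ("KERNEL32.dll", "WriteProcessMemory"), ("KERNEL32.dll", "CreateRemoteThread")]
IMPORTS_B = [("kernel32.DLL", "openprocess"), ("kernel32.DLL", "virtualallocex"),
             ("kernel32.DLL", "writeprocessmemory"), ("kernel32.DLL", "createremotethread")]
IMPORTS_C = list(reversed(IMPORTS_A))

if __name__ == "__main__":
    print("A vs B:", compare(SAMPLE_A, SAMPLE_B))   # sha256 differs, piecewise 0.8
    print("A vs C:", compare(SAMPLE_A, SAMPLE_C))   # sha256 differs, piecewise 0.0
    print("imphash A == B:", imphash(IMPORTS_A) == imphash(IMPORTS_B))  # True
    print("imphash A == C:", imphash(IMPORTS_A) == imphash(IMPORTS_C))  # False
```

The reordered import table (IMPORTS_C) is the slide's caveat in miniature: imphash cannot tell a trivial reordering from a substantive change, because the digest collapses both to "different".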
This slide just helps to provide evidence to the claim that organizations and/or detection engineers are interested in understanding how much coverage their security controls (preventative and detective) provide, specifically focused on organic controls as opposed to vendor provided controls. This is an attempt to measure how well each technique is covered. An alternative to this is ATT&CK Navigator. We could also potentially discuss my work with Endgame on this topic back in the Air Force.
The mismatch of evaluation/treatment protocol is similar to the "A/V is dead" conversations.
• Process Open
  • Sysmon Event ID 10
  • Windows Event 4656 (SACL)
  • MDE OpenProcessApiCall ActionType
• Memory Allocate
  • MDE NtAllocateVirtualMemoryApiCall
  • MDE NtAllocateVirtualMemoryRemoteApiCall
• Process Write
  • MDE WriteProcessMemoryApiCall
• Thread Create
  • MDE CreateRemoteThreadApiCall
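The mapping above pairs each step of the injection chain with the telemetry that evidences it. As an added example (not code from the webinar or from SpecterOps), the following correlates those sources into the four-step chain per initiating/target process pair, so that a pair showing only a process open is not flagged while one showing open, allocate, write and thread creation in order is. The event records are constructed, normalized sample events, not real Sysmon or MDE output; field names such as `src_pid` and `tgt_pid` are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Telemetry source -> injection step it evidences (the mapping from the slide).
STEP_BY_SOURCE = {
    ("sysmon", "10"): "Process Open",
    ("windows", "4656"): "Process Open",
    ("mde", "OpenProcessApiCall"): "Process Open",
    ("mde", "NtAllocateVirtualMemoryApiCall"): "Memory Allocate",
    ("mde", "NtAllocateVirtualMemoryRemoteApiCall"): "Memory Allocate",
    ("mde", "WriteProcessMemoryApiCall"): "Process Write",
    ("mde", "CreateRemoteThreadApiCall"): "Thread Create",
}
CHAIN = ["Process Open", "Memory Allocate", "Process Write", "Thread Create"]

Pair = Tuple[int, int]


def normalize(events: List[dict]) -> List[Tuple[str, float, int, int]]:
    """Map raw events to (step, time, src_pid, tgt_pid); drop sources not in the mapping."""
    out = []
    for e in events:
        step = STEP_BY_SOURCE.get((e["source"], e["id"]))
        if step is not None:
            out.append((step, e["time"], e["src_pid"], e["tgt_pid"]))
    return out


def steps_observed(events: List[dict]) -> Dict[Pair, List[Tuple[str, float]]]:
    """Per (src, tgt) pair, the chain steps seen in CHAIN order with non-decreasing timestamps.

    Walks the chain greedily: each step must occur at or after the previous matched step,
    and the walk stops at the first step that is missing or out of order.
    """
    by_pair: Dict[Pair, List[Tuple[float, str]]] = defaultdict(list)
    for step, t, src, tgt in normalize(events):
        by_pair[(src, tgt)].append((t, step))
    result: Dict[Pair, List[Tuple[str, float]]] = {}
    for pair, recs in by_pair.items():
        recs.sort()
        seen: List[Tuple[str, float]] = []
        last_t = float("-inf")
        for step in CHAIN:
            times = [t for t, s in recs if s == step and t >= last_t]
            if not times:
                break
            last_t = min(times)
            seen.append((step, last_t))
        result[pair] = seen
    return result


def find_injection_chains(events: List[dict], window: float = 30.0) -> List[Pair]:
    """Pairs that exhibit the full chain with the thread creation within `window` seconds of the open."""
    hits = []
    for pair, seen in steps_observed(events).items():
        if len(seen) == len(CHAIN) and seen[-1][1] - seen[0][1] <= window:
            hits.append(pair)
    return sorted(hits)


# Constructed sample telemetry (not real logs). Times are seconds.
EVENTS = [
    # 1234 -> 5678: full chain; the open is reported by both Sysmon and MDE.
    {"source": "sysmon", "id": "10", "time": 100.0, "src_pid": 1234, "tgt_pid": 5678},
    {"source": "mde", "id": "OpenProcessApiCall", "time": 100.0, "src_pid": 1234, "tgt_pid": 5678},
    {"source": "mde", "id": "NtAllocateVirtualMemoryRemoteApiCall", "time": 101.0, "src_pid": 1234, "tgt_pid": 5678},
    {"source": "mde", "id": "WriteProcessMemoryApiCall", "time": 102.0, "src_pid": 1234, "tgt_pid": 5678},
    {"source": "mde", "id": "CreateRemoteThreadApiCall", "time": 103.0, "src_pid": 1234, "tgt_pid": 5678},
    # 2222 -> 3333: a lone process open (handle access), nothing further.
    {"source": "windows", "id": "4656", "time": 200.0, "src_pid": 2222, "tgt_pid": 3333},
    # 4444 -> 5555: open, allocate and write, but no thread creation.
    {"source": "mde", "id": "OpenProcessApiCall", "time": 300.0, "src_pid": 4444, "tgt_pid": 5555},
    {"source": "mde", "id": "NtAllocateVirtualMemoryApiCall", "time": 301.0, "src_pid": 4444, "tgt_pid": 5555},
    {"source": "mde", "id": "WriteProcessMemoryApiCall", "time": 302.0, "src_pid": 4444, "tgt_pid": 5555},
    # Unmapped telemetry is ignored by the correlation.
    {"source": "sysmon", "id": "1", "time": 303.0, "src_pid": 4444, "tgt_pid": 5555},
]

if __name__ == "__main__":
    for pair, seen in sorted(steps_observed(EVENTS).items()):
        print(pair, [s for s, _ in seen])
    print("full chains:", find_injection_chains(EVENTS))  # [(1234, 5678)]
```

The partial result for 4444 -> 5555 is the useful output for a purple team: it shows which step of the chain a given data source set stops covering, which is exactly the gap a control-coverage review is trying to surface.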